New authentication plan takes shape

Taking a cue from industry, the government is shifting to a federated approach for authenticating users of e-government services.

Rather than a central gateway'an approach that E-Authentication project leaders dumped last month'the federated model will depend on third-party credential providers to validate transactions between agencies and the public.

'We needed an E-Authentication infrastructure that will use existing standards, adopt industry practices and ensure there is interoperability and security for all programs,' said Drew Ladner, chairman of the Executive Steering Committee created this summer to oversee the E-Authentication Quicksilver project. 'We needed a solution that was highly scalable and had a technical architecture that was consistent with industry,' he said.

The Office of Management and Budget and the General Services Administration, the project's lead agency, last month announced they would move away from the gateway model through which all agency transactions would connect through a single authentication portal.

'I think a central gateway was kind of a utopian dream,' said George Schu, vice president for public-sector business development of VeriSign Inc. of Dulles, Va. 'Operationally, it was not achievable. I give credit to GSA for recognizing that and moving to a federated model, which is more achievable.'

Identity protection

Most transactions that citizens perform with banks, health care providers and other industries rely on the federated model because it lets users protect their identity, said Simon Nicholson, chairman of the business and marketing expert group of the Liberty Alliance. The alliance is an industry consortium, whose members include EDS Corp., Lockheed Martin Corp., Sun Microsystems Inc. and VeriSign.

Nicholson said the federated model in the commercial sector lets users decide whom to share their information with, such as banks and credit card companies. Citizens also can go to an identity provider to authenticate themselves once and do all their business with several service providers.

Schu said the federated model will provide the government with privacy, security and redundancy because agencies need not depend on one set of servers or one gateway.

Ironically, the decision to shift from a gateway approach came after a successful pilot using a centralized model, said Ladner, who is also CIO for the Treasury Department. GSA set up a pilot with Mitretek Systems Inc. in Falls Church, Va., to test four vendor technologies with the Agriculture Department's National Finance Center and the Social Security Administration. Ladner and GSA would not name the contractors who participated in the pilot.

It was unlikely that the centralized gateway could scale for use by every agency and for every application, Schu said.

'The idea of building one megagateway for all credentials would have been hard to pull off because technically it was too complicated,' he said. 'GSA understood that as time went on.'GSA has spent more than $2 million'from the E-Government Fund and agency contributions'on the project so far.

GSA spokeswoman Viki Reath said officials would not discuss the project at this time.

'The goal of Phase 1 was to understand if we could successfully integrate a number of key technologies in an authentication solution,' Ladner said. 'We achieved our objective of Phase 1, but we realized we needed a technical architecture that will meet the different goals of Phase 2.'For the second phase, scalability is one of the most critical factors, Ladner said.

Ladner said GSA and the Executive Steering Committee are expanding the E-Authentication business case to reflect the new model and architecture.